CVE-2025-66370 MEDIUM

Vendor Kivitendo
Product kivitendo
Weakness CWE-611 · XXE
Published November 28, 2025
Last update January 15, 2026

CVSS base score

5.0/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Changed
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Description

Kivitendo before 3.9.2 is vulnerable to XML external entity (XXE) injection (CWE-611). By uploading an electronic invoice in the ZUGFeRD format, an authenticated user can cause the server to read files from its filesystem and exfiltrate their contents.

Disclosure timeline

November 28, 2025 CVE published
January 15, 2026 Record updated